oidc-enrollment-hook/src/main/java/org/gcube/portal/oidc/lr62/OpenIdConnectAutoLogin.java

package org.gcube.portal.oidc.lr62;

import java.awt.image.BufferedImage;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Locale;
import java.util.UUID;

import javax.imageio.ImageIO;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.gcube.oidc.URLEncodedContextMapper;
import org.gcube.oidc.rest.JWTToken;
import org.gcube.oidc.rest.OpenIdConnectRESTHelper;

import com.liferay.portal.kernel.exception.PortalException;
import com.liferay.portal.kernel.exception.SystemException;
import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.kernel.util.LocaleUtil;
import com.liferay.portal.kernel.util.StringPool;
import com.liferay.portal.model.User;
import com.liferay.portal.security.auth.BaseAutoLogin;
import com.liferay.portal.service.ServiceContext;
import com.liferay.portal.service.UserLocalServiceUtil;
import com.liferay.portal.util.PortalUtil;
import com.liferay.util.PwdGenerator;

public class OpenIdConnectAutoLogin extends BaseAutoLogin {

    private static final Log log = LogFactoryUtil.getLog(OpenIdConnectAutoLogin.class);

    private static boolean ASSURE_AVATAR_FORMAT = true;
    private static String DEFAULT_AVATAR_FORMAT = "png";

    @Override
    public String[] doLogin(HttpServletRequest request, HttpServletResponse response) throws Exception {
        if (log.isTraceEnabled() && request.getSession(false) != null) {
            log.trace("Session details: id=" + request.getSession(false).getId() + ", instance="
                    + request.getSession(false));
        }
        JWTToken token = JWTTokenUtil.getOIDCFromRequest(request);
        if (token == null) {
            if (log.isTraceEnabled() && request.getSession(false) != null) {
                log.trace("OIDC token is null. Can't perform auto login");
            }
            return null;
        }
        LiferayOpenIdConnectConfiguration configuration = LiferayOpenIdConnectConfiguration.getConfiguration(request);
        long companyId = PortalUtil.getCompanyId(request);
        long groupId = PortalUtil.getScopeGroupId(request);
        String portalURL = PortalUtil.getPortalURL(request, true);
        User user = createOrUpdateUser(token, companyId, groupId, portalURL, configuration);
        if (user != null) {
            log.info("Applying sites and roles strategy");
            try {
                UserSitesToGroupsAndRolesMapper mapper = new UserSitesToGroupsAndRolesMapper(
                        user, new URLEncodedContextMapper(
                                token.getResourceNameToAccessRolesMap(Arrays.asList(JWTToken.ACCOUNT_RESOURCE))));

                mapper.map();
            } catch (Throwable t) {
                // TODO: to be removed when tested in depth
                log.error("Applying strategy", t);
            }
            log.debug("Returning logged in user's info");
            return new String[] { String.valueOf(user.getUserId()), UUID.randomUUID().toString(), "false" };
        } else {
            log.warn("User is null");
            return null;
        }
    }

    public static User createOrUpdateUser(JWTToken token, long companyId, long groupId, String portalURL,
            LiferayOpenIdConnectConfiguration configuration) throws Exception {

        String email = token.getEmail();
        String given = token.getGiven();
        String family = token.getFamily();
        String subject = token.getSub();
        String username = token.getUserName();
        User user = null;
        try {
            boolean updateUser = false;
            // Search by email first
            user = UserLocalServiceUtil.fetchUserByEmailAddress(companyId, email);
            if (user == null) {
                log.debug("No Liferay user found with email address=" + email + ", trying with openId");
                // Then search by openId, in case user has changed the email address
                user = UserLocalServiceUtil.fetchUserByOpenId(companyId, subject);
                if (user == null) {
                    log.debug("No Liferay user found with openid=" + subject + " and email address=" + email);
                    if (configuration.createUnexistingUser()) {
                        log.info("A new user will be created [email=" + email + ",given=" + given + ",family=" + family
                                + ",subject=" + subject + ",username=" + username);

                        user = addUser(companyId, groupId, portalURL, email, given, family, subject, username);
                    } else {
                        log.info("User will not be created according to configuration");
                        return null;
                    }
                } else {
                    log.info("User found by its openId, the email will be updated");
                    updateUser = true;
                }
            }
            if (user != null) {
                log.debug("User found, updating name details with info from userinfo if changed");
                if (given != user.getFirstName()) {
                    user.setFirstName(given);
                    updateUser = true;
                }
                if (family != user.getLastName()) {
                    user.setLastName(family);
                    updateUser = true;
                }
                if (email != user.getEmailAddress()) {
                    user.setEmailAddress(email);
                    updateUser = true;
                }
            }
            if (updateUser) {
                UserLocalServiceUtil.updateUser(user);
            }

            try {
                byte[] userAvatar = OpenIdConnectRESTHelper.getUserAvatar(configuration.getAvatarURL(), token);
                if (userAvatar != null && userAvatar.length > 0) {
                    if (ASSURE_AVATAR_FORMAT) {
                        log.debug("Assuring avatar image format as: " + DEFAULT_AVATAR_FORMAT);
                        log.debug("Reading image stream with length: " + userAvatar.length);
                        BufferedImage bi = ImageIO.read(new ByteArrayInputStream(userAvatar));
                        if (bi != null) {
                            ByteArrayOutputStream baos = new ByteArrayOutputStream();
                            log.debug("Converting avatar stream image format to: " + DEFAULT_AVATAR_FORMAT);
                            ImageIO.write(bi, DEFAULT_AVATAR_FORMAT, baos);
                            baos.flush();
                            baos.close();
                            log.debug("Reading converted image from the BAOS");
                            userAvatar = baos.toByteArray();
                        } else {
                            log.warn("Buffered image read is null!");
                        }
                    }
                    log.debug("Saving the retrieved avatar as user's portrait");
                    UserLocalServiceUtil.updatePortrait(user.getUserId(), userAvatar);
                } else {
                    log.debug("Deleting the user's portrait since no avatar has been found for the user");
                    UserLocalServiceUtil.deletePortrait(user.getUserId());
                }
            } catch (Throwable t) {
                log.error("Cannot save/update/delete user's portrait", t);
            }
        } catch (SystemException | PortalException e) {
            throw new RuntimeException(e);
        }
        return user;
    }

    public static User addUser(long companyId, long groupId, String portalURL, String emailAddress, String firstName,
            String lastName, String openid, String username) throws SystemException, PortalException {

        Locale locale = LocaleUtil.getMostRelevantLocale();
        long creatorUserId = 0;
        boolean autoPassword = false;
        String password1 = PwdGenerator.getPassword();
        String password2 = password1;
        boolean autoScreenName = username == null;
        String screenName = StringPool.BLANK;
        if (autoScreenName) {
            log.debug("Screen name will be auto-generated");
        } else {
            log.debug("Screen name will be set to: " + username);
            screenName = username;
        }
        long facebookId = 0;
        String openId = openid;
        String middleName = StringPool.BLANK;
        int prefixId = 0;
        int suffixId = 0;
        boolean male = true;
        int birthdayMonth = Calendar.JANUARY;
        int birthdayDay = 1;
        int birthdayYear = 1970;
        String jobTitle = StringPool.BLANK;
        long[] groupIds = null;
        long[] organizationIds = null;
        long[] roleIds = null;
        long[] userGroupIds = null;
        boolean sendEmail = false;
        ServiceContext serviceContext = new ServiceContext();
        serviceContext.setScopeGroupId(groupId);
        serviceContext.setPortalURL(portalURL);

        User user = UserLocalServiceUtil.addUser(creatorUserId, companyId, autoPassword, password1, password2,
                autoScreenName, screenName, emailAddress, facebookId, openId, locale, firstName, middleName, lastName,
                prefixId, suffixId, male, birthdayMonth, birthdayDay, birthdayYear, jobTitle, groupIds, organizationIds,
                roleIds, userGroupIds, sendEmail, serviceContext);

        // No password
        user.setPasswordReset(false);
        // email is already verified by oidc provider
        user.setEmailAddressVerified(true);
        // No reminder query at first login.
        user.setReminderQueryQuestion("x");
        user.setReminderQueryAnswer("y");
        UserLocalServiceUtil.updateUser(user);
        return user;
    }

}
Now request server name is used as clientId for OIDC authentication and packages renamed from com.nubisware.* to org.gcube.* 2020-06-18 12:21:36 +02:00			`package org.gcube.portal.oidc.lr62;`
Intial GIT commit 2020-05-21 15:48:12 +02:00
Now avatar file format can be forced to be a specific format (default PNG) if needed (default ON) 2020-09-04 18:30:03 +02:00			`import java.awt.image.BufferedImage;`
			`import java.io.ByteArrayInputStream;`
			`import java.io.ByteArrayOutputStream;`
Intial GIT commit 2020-05-21 15:48:12 +02:00			`import java.util.Arrays;`
			`import java.util.Calendar;`
			`import java.util.Locale;`
			`import java.util.UUID;`

Now avatar file format can be forced to be a specific format (default PNG) if needed (default ON) 2020-09-04 18:30:03 +02:00			`import javax.imageio.ImageIO;`
Intial GIT commit 2020-05-21 15:48:12 +02:00			`import javax.servlet.http.HttpServletRequest;`
			`import javax.servlet.http.HttpServletResponse;`

Now request server name is used as clientId for OIDC authentication and packages renamed from com.nubisware.* to org.gcube.* 2020-06-18 12:21:36 +02:00			`import org.gcube.oidc.URLEncodedContextMapper;`
			`import org.gcube.oidc.rest.JWTToken;`
Added avatar retrieve/update at every login (#19726) 2020-08-12 20:14:54 +02:00			`import org.gcube.oidc.rest.OpenIdConnectRESTHelper;`
Now request server name is used as clientId for OIDC authentication and packages renamed from com.nubisware.* to org.gcube.* 2020-06-18 12:21:36 +02:00
Intial GIT commit 2020-05-21 15:48:12 +02:00			`import com.liferay.portal.kernel.exception.PortalException;`
			`import com.liferay.portal.kernel.exception.SystemException;`
			`import com.liferay.portal.kernel.log.Log;`
			`import com.liferay.portal.kernel.log.LogFactoryUtil;`
			`import com.liferay.portal.kernel.util.LocaleUtil;`
			`import com.liferay.portal.kernel.util.StringPool;`
			`import com.liferay.portal.model.User;`
			`import com.liferay.portal.security.auth.BaseAutoLogin;`
			`import com.liferay.portal.service.ServiceContext;`
			`import com.liferay.portal.service.UserLocalServiceUtil;`
			`import com.liferay.portal.util.PortalUtil;`
			`import com.liferay.util.PwdGenerator;`

			`public class OpenIdConnectAutoLogin extends BaseAutoLogin {`

			`private static final Log log = LogFactoryUtil.getLog(OpenIdConnectAutoLogin.class);`

Now avatar file format can be forced to be a specific format (default PNG) if needed (default ON) 2020-09-04 18:30:03 +02:00			`private static boolean ASSURE_AVATAR_FORMAT = true;`
			`private static String DEFAULT_AVATAR_FORMAT = "png";`

Intial GIT commit 2020-05-21 15:48:12 +02:00			`@Override`
			`public String[] doLogin(HttpServletRequest request, HttpServletResponse response) throws Exception {`
Beta version 2020-05-29 13:03:07 +02:00			`if (log.isTraceEnabled() && request.getSession(false) != null) {`
			`log.trace("Session details: id=" + request.getSession(false).getId() + ", instance="`
			`+ request.getSession(false));`
			`}`
			`JWTToken token = JWTTokenUtil.getOIDCFromRequest(request);`
Intial GIT commit 2020-05-21 15:48:12 +02:00			`if (token == null) {`
Typo fixed and log level lowered 2020-05-29 15:02:25 +02:00			`if (log.isTraceEnabled() && request.getSession(false) != null) {`
			`log.trace("OIDC token is null. Can't perform auto login");`
			`}`
Intial GIT commit 2020-05-21 15:48:12 +02:00			`return null;`
			`}`
			`LiferayOpenIdConnectConfiguration configuration = LiferayOpenIdConnectConfiguration.getConfiguration(request);`
			`long companyId = PortalUtil.getCompanyId(request);`
			`long groupId = PortalUtil.getScopeGroupId(request);`
			`String portalURL = PortalUtil.getPortalURL(request, true);`
			`User user = createOrUpdateUser(token, companyId, groupId, portalURL, configuration);`
			`if (user != null) {`
			`log.info("Applying sites and roles strategy");`
			`try {`
			`UserSitesToGroupsAndRolesMapper mapper = new UserSitesToGroupsAndRolesMapper(`
			`user, new URLEncodedContextMapper(`
			`token.getResourceNameToAccessRolesMap(Arrays.asList(JWTToken.ACCOUNT_RESOURCE))));`

			`mapper.map();`
			`} catch (Throwable t) {`
			`// TODO: to be removed when tested in depth`
			`log.error("Applying strategy", t);`
			`}`
			`log.debug("Returning logged in user's info");`
			`return new String[] { String.valueOf(user.getUserId()), UUID.randomUUID().toString(), "false" };`
			`} else {`
			`log.warn("User is null");`
			`return null;`
			`}`
			`}`

			`public static User createOrUpdateUser(JWTToken token, long companyId, long groupId, String portalURL,`
			`LiferayOpenIdConnectConfiguration configuration) throws Exception {`

			`String email = token.getEmail();`
			`String given = token.getGiven();`
			`String family = token.getFamily();`
			`String subject = token.getSub();`
Screenname is the OIDC user's username (if provided) for new users 2020-07-01 19:35:20 +02:00			`String username = token.getUserName();`
Intial GIT commit 2020-05-21 15:48:12 +02:00			`User user = null;`
			`try {`
			`boolean updateUser = false;`
			`// Search by email first`
			`user = UserLocalServiceUtil.fetchUserByEmailAddress(companyId, email);`
			`if (user == null) {`
			`log.debug("No Liferay user found with email address=" + email + ", trying with openId");`
			`// Then search by openId, in case user has changed the email address`
			`user = UserLocalServiceUtil.fetchUserByOpenId(companyId, subject);`
			`if (user == null) {`
			`log.debug("No Liferay user found with openid=" + subject + " and email address=" + email);`
			`if (configuration.createUnexistingUser()) {`
Added some info of the user is about to create in the logs expecially for screen name (autogenerated or externally provided) 2021-01-12 14:41:50 +01:00			`log.info("A new user will be created [email=" + email + ",given=" + given + ",family=" + family`
			`+ ",subject=" + subject + ",username=" + username);`

Screenname is the OIDC user's username (if provided) for new users 2020-07-01 19:35:20 +02:00			`user = addUser(companyId, groupId, portalURL, email, given, family, subject, username);`
Intial GIT commit 2020-05-21 15:48:12 +02:00			`} else {`
			`log.info("User will not be created according to configuration");`
			`return null;`
			`}`
			`} else {`
			`log.info("User found by its openId, the email will be updated");`
			`updateUser = true;`
			`}`
			`}`
			`if (user != null) {`
			`log.debug("User found, updating name details with info from userinfo if changed");`
			`if (given != user.getFirstName()) {`
			`user.setFirstName(given);`
			`updateUser = true;`
			`}`
			`if (family != user.getLastName()) {`
			`user.setLastName(family);`
			`updateUser = true;`
			`}`
			`if (email != user.getEmailAddress()) {`
			`user.setEmailAddress(email);`
			`updateUser = true;`
			`}`
			`}`
			`if (updateUser) {`
			`UserLocalServiceUtil.updateUser(user);`
			`}`
Added avatar retrieve/update at every login (#19726) 2020-08-12 20:14:54 +02:00
Added try/catch arounf portrait save/delete operation to avoid CNFE for `com.sun.image.codec.jpeg.ImageFormatException`. 2020-08-18 12:18:03 +02:00			`try {`
			`byte[] userAvatar = OpenIdConnectRESTHelper.getUserAvatar(configuration.getAvatarURL(), token);`
Now avatar file format can be forced to be a specific format (default PNG) if needed (default ON) 2020-09-04 18:30:03 +02:00			`if (userAvatar != null && userAvatar.length > 0) {`
			`if (ASSURE_AVATAR_FORMAT) {`
			`log.debug("Assuring avatar image format as: " + DEFAULT_AVATAR_FORMAT);`
			`log.debug("Reading image stream with length: " + userAvatar.length);`
			`BufferedImage bi = ImageIO.read(new ByteArrayInputStream(userAvatar));`
			`if (bi != null) {`
			`ByteArrayOutputStream baos = new ByteArrayOutputStream();`
			`log.debug("Converting avatar stream image format to: " + DEFAULT_AVATAR_FORMAT);`
			`ImageIO.write(bi, DEFAULT_AVATAR_FORMAT, baos);`
			`baos.flush();`
			`baos.close();`
			`log.debug("Reading converted image from the BAOS");`
			`userAvatar = baos.toByteArray();`
			`} else {`
			`log.warn("Buffered image read is null!");`
			`}`
			`}`
Added try/catch arounf portrait save/delete operation to avoid CNFE for `com.sun.image.codec.jpeg.ImageFormatException`. 2020-08-18 12:18:03 +02:00			`log.debug("Saving the retrieved avatar as user's portrait");`
			`UserLocalServiceUtil.updatePortrait(user.getUserId(), userAvatar);`
			`} else {`
			`log.debug("Deleting the user's portrait since no avatar has been found for the user");`
			`UserLocalServiceUtil.deletePortrait(user.getUserId());`
			`}`
			`} catch (Throwable t) {`
			`log.error("Cannot save/update/delete user's portrait", t);`
Added avatar retrieve/update at every login (#19726) 2020-08-12 20:14:54 +02:00			`}`
Intial GIT commit 2020-05-21 15:48:12 +02:00			`} catch (SystemException \| PortalException e) {`
			`throw new RuntimeException(e);`
			`}`
			`return user;`
			`}`

			`public static User addUser(long companyId, long groupId, String portalURL, String emailAddress, String firstName,`
Screenname is the OIDC user's username (if provided) for new users 2020-07-01 19:35:20 +02:00			`String lastName, String openid, String username) throws SystemException, PortalException {`
Intial GIT commit 2020-05-21 15:48:12 +02:00
			`Locale locale = LocaleUtil.getMostRelevantLocale();`
			`long creatorUserId = 0;`
			`boolean autoPassword = false;`
			`String password1 = PwdGenerator.getPassword();`
			`String password2 = password1;`
Screenname is the OIDC user's username (if provided) for new users 2020-07-01 19:35:20 +02:00			`boolean autoScreenName = username == null;`
Intial GIT commit 2020-05-21 15:48:12 +02:00			`String screenName = StringPool.BLANK;`
Added some info of the user is about to create in the logs expecially for screen name (autogenerated or externally provided) 2021-01-12 14:41:50 +01:00			`if (autoScreenName) {`
			`log.debug("Screen name will be auto-generated");`
			`} else {`
			`log.debug("Screen name will be set to: " + username);`
Screenname is the OIDC user's username (if provided) for new users 2020-07-01 19:35:20 +02:00			`screenName = username;`
			`}`
Intial GIT commit 2020-05-21 15:48:12 +02:00			`long facebookId = 0;`
			`String openId = openid;`
			`String middleName = StringPool.BLANK;`
			`int prefixId = 0;`
			`int suffixId = 0;`
			`boolean male = true;`
			`int birthdayMonth = Calendar.JANUARY;`
			`int birthdayDay = 1;`
			`int birthdayYear = 1970;`
			`String jobTitle = StringPool.BLANK;`
			`long[] groupIds = null;`
			`long[] organizationIds = null;`
			`long[] roleIds = null;`
			`long[] userGroupIds = null;`
			`boolean sendEmail = false;`
			`ServiceContext serviceContext = new ServiceContext();`
			`serviceContext.setScopeGroupId(groupId);`
			`serviceContext.setPortalURL(portalURL);`

			`User user = UserLocalServiceUtil.addUser(creatorUserId, companyId, autoPassword, password1, password2,`
			`autoScreenName, screenName, emailAddress, facebookId, openId, locale, firstName, middleName, lastName,`
			`prefixId, suffixId, male, birthdayMonth, birthdayDay, birthdayYear, jobTitle, groupIds, organizationIds,`
			`roleIds, userGroupIds, sendEmail, serviceContext);`

			`// No password`
			`user.setPasswordReset(false);`
Added some info of the user is about to create in the logs expecially for screen name (autogenerated or externally provided) 2021-01-12 14:41:50 +01:00			`// email is already verified by oidc provider`
Intial GIT commit 2020-05-21 15:48:12 +02:00			`user.setEmailAddressVerified(true);`
			`// No reminder query at first login.`
			`user.setReminderQueryQuestion("x");`
			`user.setReminderQueryAnswer("y");`
			`UserLocalServiceUtil.updateUser(user);`
			`return user;`
			`}`

			`}`